Any-point-to-any-point ("AP2AP") quantum key distribution protocol for optical ring network

ABSTRACT

A QKD node in an optical ring network enables distribution of quantum keys between node pairs having neither photon sources nor photon detectors. The QKD node transmits corresponding pulses P₁ and P₂ into the ring network in opposing directions. A first node (Alice) of the pair randomly modulates pulse P₁ and a second node (Allie) of the pair randomly modulates pulse P₂, each with phases selected from two encoding bases: B1 (0, π) and B2 (π/2, 3π/2). Node Allie then publicly signals to node Alice and the QKD node to indicate which bases were used for encoding the QKD bits in sequence, for example, B1, B2, B2, B1, etc. Node Alice compares the encoding bases used by node Allie with her own and publicly signals to node Allie and the QKD node to indicate which positions match. The QKD node then deletes all mismatched measurements, and nodes Allie and Alice also delete the corresponding bits. The QKD node then publicly signals to nodes Allie and Alice to indicate the XOR bit string, i.e., the positions at which its detectors registered a phase difference of π. Nodes Allie and Alice negotiate which of them applies the XOR to her key bit string. After the XOR operation, nodes Allie and Alice hold a common sifted key and start error correction and privacy amplification procedures to form a final secret key. Further, the QKD node may modulate a secret phase key Φs into pulse P₁ before transmission, and into pulse P₂ after receipt, to facilitate security and detection of an eavesdropping attack.

FIELD OF THE INVENTION

This invention relates generally to the field of network communications, and more particularly to cryptology.

BACKGROUND OF THE INVENTION

Public key encryption is currently a popular technique for secure network communications. It relies on “one-way functions” that are relatively easy for a computer to calculate but hard to reverse: given x, computing f(x) is easy, but recovering x from f(x) is difficult, although not necessarily impossible. Some one-way functions can be reversed much more easily with the assistance of particular “trap door” information, i.e., a key. Public key cryptography uses such one-way functions in a two-key system in which one key is used for encryption and the other for decryption. In particular, the “public key” openly advertised by Node A defines the one-way function that others use to send encrypted messages to Node A, and the trap door is the “private key” held in confidence by Node A for decrypting those messages. For two-way encrypted communications each node uses its own public key and private key. One advantage of this system is that no secret key needs to be distributed in advance. However, advances in computing capabilities tend to erode the security provided by public key encryption, because the difficulty of reversing the one-way function decreases as computing capabilities increase.

It is generally accepted in the field of cryptology that the most secure encryption technique is the Vernam cipher, i.e., the one-time pad. A Vernam cipher employs a key to encrypt a message that the intended recipient decrypts with an identical key. The encrypted message is unconditionally secure provided that the key is truly random, at least as long as the message, used for only a single message, and known only to the sender and the intended receiver. However, in modern communication networks the distribution of Vernam cipher keys is often impractical, e.g., because the keys must be as long as the traffic they protect and key distribution itself is subject to eavesdropping.

One technique for secure key distribution is known as Quantum Key Distribution (“QKD”). Particular Quantum Key Distribution protocols such as BB84 enable secure key exchange between two devices by representing each bit of a key with a single photon. Photons may be polarization-modulated in order to differentiate between logic 1 and logic 0. Distribution of the quantum keys is secure because, in accordance with the laws of quantum physics, an eavesdropper attempting to intercept the key would introduce detectable errors into the key since it is not possible to measure an unknown quantum state of a photon without modifying it. However, the network resources required to implement QKD are relatively costly. In particular, each network device that implements current QKD techniques requires a photon source and a photon detector.

SUMMARY OF THE INVENTION

In accordance with the invention, apparatus for distributing a quantum key between a first node and a second node in an optical ring communications network comprises: an enabler node with a photon source operable to generate a base pulse; a splitter operable to split the base pulse into corresponding pulses P₁ and P₂; a port operable to transmit pulse P₁ and pulse P₂ into the network, pulse P₁ being modulated by the first node with phases selected from two encoding bases and pulse P₂ being modulated by the second node with phases selected from the two encoding bases, the port being further operable to receive modulated pulses P₁ and P₂; a receiver operable to receive an indication, from the first node, of which bases were employed by the first node, and also to receive an indication from the second node of base matches relative to the bases employed by the second node; and control logic operable to remove mismatches from consideration and communicate with at least one of the first and second nodes to indicate a remaining XOR bit string, following which one of the first and second nodes performs an XOR on their respective bit string, and the first and second nodes form a sifted key.

A method in accordance with the invention for distributing a quantum key between a first node and a second node in a communications network comprises the steps of: generating a base pulse with a photon source; splitting the base pulse into corresponding pulses P₁ and P₂ with a splitter; transmitting pulse P₁ and pulse P₂ via a port into the network; modulating pulse P₁ by the first node with phases selected from two encoding bases; modulating pulse P₂ by the second node with phases selected from the two encoding bases; receiving, via the port, modulated pulses P₁ and P₂; receiving an indication from the first node of which bases were employed by the first node; receiving an indication from the second node of base matches relative to the bases employed by the second node; removing mismatches from consideration; and communicating with at least one of the first and second nodes to indicate a remaining XOR bit string, following which one of the first and second nodes performs an XOR on their respective bit string, and the first and second nodes form a sifted key.

The invention improves QKD in a communications network by obviating the need for the network nodes in a QKD pair to have a photon source and a photon detector. In particular, a QKD node equipped with a photon source and photon detectors employs those resources on behalf of a node pair to establish a key for the pair. Since the QKD node can perform QKD services on behalf of any of various node pairs in the network, a single set of relatively costly photon source and photon detector resources can be leveraged to support a relatively large number of lower cost devices. Further, the QKD node need not be fully trusted by the node pair, because the QKD node learns only the XOR of the two nodes' bit strings, not the key itself, in the course of supporting QKD for the node pair. Further, the QKD node can detect attempted eavesdropping by modulating a secret phase key into one of the pulses prior to transmission and modulating the same secret phase key into the other pulse after it returns to the QKD node.

BRIEF DESCRIPTION OF THE FIGURES

FIGS. 1 and 2 are block diagrams illustrating distribution of a quantum key between node Allie and node Alice with node Bob as enabler, wherein FIG. 1 shows processing of pulse P₁ in detail and FIG. 2 shows processing of pulse P₂ in detail.

FIGS. 3 and 4 illustrate key decoding in greater detail.

DETAILED DESCRIPTION

FIG. 1 illustrates an optical ring network including nodes Bob (100), Alice (102), Anna (104), and Allie (106). Node Bob (100) includes a photon source such as a laser diode (108), photon detectors (110-D0, 110-D1), an attenuator (112), a coupler (114), and a phase modulator (116). Node Alice (102) includes an Optical Add/Drop Multiplexer (“OADM”) (118) and a phase modulator (120). Similarly, node Anna (104) includes an OADM (122) and a phase modulator (124), and node Allie (106) includes an OADM (126) and a phase modulator (128).

Node Bob (100) functions as a Quantum Key Distribution (“QKD”) enabler for pairs of nodes in the network. In particular, node Bob enables any pair of nodes in the network to exchange quantum keys even though those nodes have neither a photon source nor a photon detector. Node Bob accomplishes this task by transmitting corresponding pulses around the loop for independent modulation by the node pair, and then indicating correlation of the modulation to the node pair.

QKD is initiated by node Alice (102) and node Allie (106) each signaling a request to node Bob (100). In response to the request, node Bob generates a source pulse (130) with the laser diode (108). The source pulse is then attenuated by the attenuator (112) so as to set a suitable average number of photons per pulse. The attenuated pulse is then split by the coupler (114), resulting in corresponding pulses P₁ and P₂. Pulse P₁ is then phase-modulated using phase modulator PM_b (116) with a randomly generated secret phase key Φs. Pulse P₁ is transmitted on the optical loop in a first direction, i.e., toward node Alice (102), and pulse P₂ is transmitted on the optical loop in the opposite direction, i.e., toward node Allie (106). Further, signaling from node Bob instructs node Alice to process pulse P₁ (and not pulse P₂), and node Allie to process pulse P₂ (and not pulse P₁).

Node Alice is operable upon receipt of pulse P₁ to drop the pulse into an inner loop via the OADM (118). Node Alice then modulates pulse P₁ using the phase modulator PM_a (120). In particular, node Alice randomly modulates pulse P₁ with the phase modulator, thereby introducing a phase Φ₁ selected from two encoding bases: B1 (0, π) and B2 (π/2, 3π/2). The resulting pulse P₁, having phase Φs+Φ₁, is returned to the optical ring via the OADM (118). Nodes Anna and Allie pass pulse P₁ through their respective OADMs (122, 126). Hence, pulse P₁ eventually returns to node Bob (100), where it is directed to the coupler (114).

Referring now to FIG. 2, node Allie (106) is operable in response to receipt of pulse P₂ from node Bob (100) to drop the pulse into an inner loop via the OADM (126). Node Allie then modulates pulse P₂ using the phase modulator PM_a (128). In particular, node Allie randomly modulates pulse P₂ with the phase modulator, thereby introducing a phase Φ₂ selected from the same two encoding bases: B1 (0, π) and B2 (π/2, 3π/2). The resulting pulse P₂, having phase Φ₂, is returned to the optical ring via the OADM. Nodes Anna and Alice pass pulse P₂ through their respective OADMs (122, 118). Hence, pulse P₂ eventually returns to node Bob.

Node Bob is operable upon receipt of pulse P₂ to direct the pulse to the phase modulator PM_b (116), where pulse P₂ is modulated with Φs, resulting in a pulse P₂ having phase Φs+Φ₂. Pulse P₂ is then directed to the coupler (114), where it is interfered with pulse P₁ and the outcome is registered by the detectors (110). The phase difference (“ΔΦ”) between P₂ and P₁ at the coupler is ΔΦ=(Φs+Φ₂)−(Φs+Φ₁)=Φ₂−Φ₁, so the secret phase key cancels for the legitimate pair of pulses. When the two pulses are combined, ΔΦ=0 produces constructive interference at detector D0 and ΔΦ=π produces constructive interference at detector D1 (i.e., destructive interference at D0); when the two nodes used different bases, ΔΦ is π/2 or 3π/2 and either detector fires with equal probability. This information is employed for key decoding.

FIGS. 3 and 4 illustrate one technique for key decoding in further detail. Following the measurements described above, node Allie (or alternatively node Alice) publicly signals to her counterpart, node Alice (or alternatively node Allie), and to the QKD enabler node Bob to indicate, in sequence, which bases were used for encoding the QKD bits, for example, B1, B2, B2, B1, etc. The enabler node Bob takes no further action until receiving a response signal from node Alice. In particular, node Alice compares node Allie's encoding bases with her own and publicly signals to nodes Allie and Bob to indicate which positions match, i.e., measurement/result=match. The enabler node Bob then deletes all QKD bits for which measurement/result=mismatch, i.e., those for which ΔΦ=π/2 or ΔΦ=3π/2 and the detector click was random. Nodes Allie and Alice also delete the mismatched positions. From FIGS. 3 and 4 it can be seen that, if the enabler node Bob detects ΔΦ=0 (detector D0, recorded as 0), then nodes Allie and Alice employed the same key bit value, 0 or 1, but node Bob does not know which. If node Bob detects ΔΦ=π (detector D1, recorded as 1), then nodes Allie and Alice employed inverse key bit values, so one of them must flip her bit in order to match; again, node Bob does not know the actual value. What this means is that node Bob's measurements do not indicate the QKD key bit values, but rather the XOR of Allie's and Alice's key bits. Therefore, node Bob publicly signals to nodes Allie and Alice the XOR bit string, i.e., the positions at which measurement/result=XOR, ΔΦ=π. Nodes Allie and Alice then negotiate which of them applies the XOR to her key bit string. After the XOR operation, nodes Allie and Alice hold a common sifted key, and they start error correction and privacy amplification procedures to form a final secret key.

Referring now to FIGS. 1 through 4, the use of the secret phase key Φs facilitates detection of attempted eavesdropping. For example, a potential eavesdropper node Anna would need to recover the secret phase key Φs, split pulse P₂ (which at that point is not modulated with Φs), split pulse P₁ (which is modulated with Φs), and then apply a randomly guessed phase to one of the pulses and recombine the two in order to recreate the original photon or photons. Because Anna knows neither Φs nor the modulation chosen by each node, she would require a relatively large number of attempts to reach the solution. Such a large number of attempts can be denied to Anna because Bob attenuates the pulses to a certain mean photon number, such as μ=10. Further, Anna's eavesdropping attempts will tend to increase the Quantum Bit Error Rate (“QBER”) of the sifted key, which can be detected by node Bob.
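The round described in FIGS. 1 through 4 and the eavesdropping discussion above, as an added classical simulation (this is illustrative code written for this page, not code from the patent). It assumes phases held in units of π/2 (so B1 = {0, 2} and B2 = {1, 3}), a per-pulse random Φs, and a simplified model of Anna who, lacking Φs, applies a random phase from the encoding set to a fraction of the P₁ pulses; the QBER is computed over the whole sifted key rather than on a disclosed sample, which a deployment would use and then discard.

```python
import random

# Phases are held in units of π/2: basis B1 = {0, π} becomes {0, 2} and
# basis B2 = {π/2, 3π/2} becomes {1, 3}; the key bit selects the element.
BASES = ((0, 2), (1, 3))


def encode(basis: int, bit: int) -> int:
    """Phase a node applies to its pulse for a chosen basis and key bit."""
    return BASES[basis][bit]


def bob_detector(phi_s: int, phi1: int, phi2: int, rng) -> int:
    """Interference at Bob's coupler.

    P1 returns carrying Φs+Φ1 and P2 has Φs added on its return, so Φs cancels
    and ΔΦ = Φ2 − Φ1 (mod 2π).  ΔΦ = 0 fires D0 (reported as 0), ΔΦ = π fires
    D1 (reported as 1), and ΔΦ = ±π/2 (mismatched bases) fires either detector
    with equal probability.  rng is only consulted in the random case.
    """
    delta = ((phi_s + phi2) - (phi_s + phi1)) % 4
    if delta == 0:
        return 0
    if delta == 2:
        return 1
    return rng.randint(0, 1)


def run_round(n_pulses: int, rng: random.Random, tamper_fraction: float = 0.0):
    """Run n_pulses through the protocol; returns (alice_key, allie_key, xor_string).

    tamper_fraction is an assumed, simplified eavesdropper: on that fraction of
    P1 pulses Anna, who does not know Φs, applies a random phase from the set.
    """
    alice_bits, alice_bases, allie_bits, allie_bases, clicks = [], [], [], [], []
    for _ in range(n_pulses):
        phi_s = rng.randint(0, 3)                              # Bob's secret phase
        a_basis, a_bit = rng.randint(0, 1), rng.randint(0, 1)  # Alice, on P1
        l_basis, l_bit = rng.randint(0, 1), rng.randint(0, 1)  # Allie, on P2
        phi1, phi2 = encode(a_basis, a_bit), encode(l_basis, l_bit)
        if rng.random() < tamper_fraction:
            phi1 = (phi1 + rng.randint(0, 3)) % 4              # Anna disturbs P1
        clicks.append(bob_detector(phi_s, phi1, phi2, rng))
        alice_bits.append(a_bit)
        alice_bases.append(a_basis)
        allie_bits.append(l_bit)
        allie_bases.append(l_basis)

    # Sifting: Allie announces her bases, Alice announces the positions that
    # match hers, and all three parties discard the mismatched positions.
    keep = [i for i in range(n_pulses) if alice_bases[i] == allie_bases[i]]
    alice_key = [alice_bits[i] for i in keep]
    allie_key = [allie_bits[i] for i in keep]
    xor_string = [clicks[i] for i in keep]                     # Bob's announcement

    # The pair negotiate who applies the XOR; here Allie flips her bit at every
    # position where Bob reported ΔΦ = π (detector D1).
    allie_key = [b ^ x for b, x in zip(allie_key, xor_string)]
    return alice_key, allie_key, xor_string


def qber(key_a: list, key_b: list) -> float:
    """Fraction of sifted positions on which the two keys disagree."""
    if not key_a:
        return 0.0
    return sum(a != b for a, b in zip(key_a, key_b)) / len(key_a)


def simulate(seed: int, n_pulses: int = 4000, tamper_fraction: float = 0.0) -> dict:
    """Seeded end-to-end run, summarised for inspection."""
    rng = random.Random(seed)
    alice_key, allie_key, xor_string = run_round(n_pulses, rng, tamper_fraction)
    return {
        "sifted": len(alice_key),
        "keys_equal": alice_key == allie_key,
        "qber": qber(alice_key, allie_key),
        "xor_ones": sum(xor_string),
    }


if __name__ == "__main__":
    print("honest round:", simulate(2024))
    print("Anna on every P1 pulse:", simulate(2024, tamper_fraction=1.0))
```

In the honest run about half of the pulses survive sifting and the two sifted keys agree exactly; Bob's transcript (the bases plus the XOR string) is consistent with any candidate Alice key, because each candidate pairs with exactly one Allie key, so it tells him nothing about the bit values. With Anna's random phase θ on a matched-basis pulse, θ=0 leaves the click correct, θ=π inverts it, and θ=±π/2 randomises it, so the expected QBER is tamper_fraction/2; a QBER near 0.5 on every tampered pulse is what the test below checks.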

One result of the described technique is that node Bob does not learn the phases, and hence the key bit values, chosen by nodes Alice and Allie for the QKD. In particular, node Bob's participation and measurements do not directly yield the key and therefore do not provide node Bob with the key. Rather, node Bob's measurements reveal to node Bob only the XOR of Allie's and Alice's key bits. Consequently, node Bob need not be fully trusted by nodes Alice and Allie in order to be utilized as an enabler for QKD. This aspect of the invention could be advantageous in shared networks.

While the invention is described through the above exemplary embodiments, it will be understood by those of ordinary skill in the art that modification to and variation of the illustrated embodiments may be made without departing from the inventive concepts herein disclosed. Moreover, while the preferred embodiments are described in connection with various illustrative structures, one skilled in the art will recognize that the system may be embodied using a variety of specific structures. Accordingly, the invention should not be viewed as limited except by the scope and spirit of the appended claims. 

1. Apparatus for distributing a quantum key between a first node and a second node in a communications network, comprising: a photon source operable to generate a base pulse; a splitter operable to split the base pulse into corresponding pulses P₁ and P₂; a port operable to transmit pulse P₁ and pulse P₂ into the network, pulse P₁ being modulated by the first node with phases selected from two encoding bases and pulse P₂ being modulated by the second node with phases selected from the two encoding bases, the port being further operable to receive modulated pulses P₁ and P₂; a receiver operable to receive an indication, from the first node, of which bases were employed by the first node, and also to receive an indication from the second node of base matches relative to the bases employed by the second node; and control logic operable to remove mismatches from consideration and communicate with at least one of the first and second nodes to indicate a remaining XOR bit string, following which one of the first and second nodes performs an XOR on their respective bit string, and the first and second nodes form a shifted key.
 2. The apparatus of claim 1 wherein the communications network is a ring network, and further including logic operable to direct pulses P₁ and P₂ into the ring in opposite directions.
 3. The apparatus of claim 1 further including a phase modulator operable to modulate pulse P₁ with a secret phase key before transmitting the pulse into the network.
 4. The apparatus of claim 3 wherein the phase modulator is further operable, after receiving pulse P₂ from the network, to modulate pulse P₂ with the secret phase key before the comparator is employed to compare the pulses.
 5. The apparatus of claim 4 further including control logic operable to indicate potential eavesdropping based on quantum bit error rate.
 6. The apparatus of claim 1 further including an attenuator operable to reduce the number of photons in the pulse.
 7. The apparatus of claim 1 wherein the first node is operable to indicate to the second node which base types were used by the first node.
 8. The apparatus of claim 7 wherein the second node is operable to compare base types used by the first node with base types used by the second node, and to indicate base type matches to the control logic and the first node.
 9. The apparatus of claim 8 wherein the control logic is further operable to remove mismatched bits.
 10. The apparatus of claim 9 wherein the control logic is further operable to indicate to the first node which bits are neither matched nor mismatched.
 11. A method for distributing a quantum key between a first node and a second node in a communications network, comprising the steps of: generating a base pulse with a photon source; splitting the base pulse into corresponding pulses P₁ and P₂ with a splitter; transmitting pulse P₁ and pulse P₂ via a port into the network; modulating pulse P₁ by the first node with phases selected from at least two encoding bases; modulating pulse P₂ by the second node with phases selected from the at least two encoding bases; receiving, via the port, modulated pulses P₁ and P₂; receiving an indication from the first node of which bases were employed by the first node; receiving an indication from the second node of base matches relative to the bases employed by the second node; removing mismatches from consideration; and communicating with at least one of the first and second nodes to indicate a remaining XOR bit string, following which one of the first and second nodes performs an XOR on their respective bit string, and the first and second nodes form a shifted key.
 12. The method of claim 11 wherein the communications network is a ring network, and further including the step of directing pulses P₁ and P₂ into the ring in opposite directions.
 13. The method of claim 11 further including the step of modulating pulse P₁ with a secret phase key before transmitting the pulse into the network.
 14. The method of claim 13 further including the step of, after receiving pulse P₂ from the network, modulating pulse P₂ with the secret phase key before the comparator is employed to compare the pulses.
 15. The method of claim 14 further including the step of monitoring quantum bit error rate to detect potential eavesdropping.
 16. The method of claim 15 further including the step of reducing the number of photons in the pulse.
 17. The method of claim 11 further including the step of indicating, by the first node to the second node, which base types were used by the first node.
 18. The method of claim 17 further including the step of comparing, by the second node, base types used by the first node with base types used by the second node, and indicating base type matches to the control logic and the first node.
 19. The method of claim 18 further including the step of removing mismatched bits.
 20. The method of claim 19 further including the step of indicating to the first node which bits are neither matched nor mismatched. 